Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your
net-next tree. A couple of new features for nf_tables, and unsorted
cleanups and incremental updates for the Netfilter tree. More
specifically, they are:

1) Allow to check for TCP option presence via nft_exthdr, patch
   from Phil Sutter.

2) Add symmetric hash support to nft_hash, from Laura Garcia Liebana.

3) Use pr_cont() in ebt_log, from Joe Perches.

4) Remove some dead code in arp_tables reported via static analysis
   tool, from Colin Ian King.

5) Consolidate nf_tables expression validation, from Liping Zhang.

6) Consolidate set lookup via nft_set_lookup().

7) Remove unnecessary rcu read lock side in bridge netfilter, from
   Florian Westphal.

8) Remove unused variable in nf_reject_ipv4, from Tahee Yoo.

9) Pass nft_ctx struct to object initialization indirections, from
   Florian Westphal.

10) Add code to integrate conntrack helper into nf_tables, also from
    Florian.

11) Allow to check if interface index or name exists via
    NFTA_FIB_F_PRESENT, from Phil Sutter.

12) Simplify resolve_normal_ct(), from Florian.

13) Use per-limit spinlock in nft_limit and xt_limit, from Liping Zhang.

14) Use rwlock in nft_set_rbtree set, also from Liping Zhang.

15) One patch to remove a useless printk at netns init path in ipvs,
    and several patches to document IPVS knobs.

16) Use refcount_t for reference counter in the Netfilter/IPVS code,
    from Elena Reshetova.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 18 insertions, 25 deletions

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index fa87fbd62bb7..d20b01b8d103 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -995,13 +995,10 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net,
         if (!elem)
                 return okfn(net, sk, skb);
 
-        /* We may already have this, but read-locks nest anyway */
-        rcu_read_lock();
         nf_hook_state_init(&state, hook, NFPROTO_BRIDGE, indev, outdev,
                            sk, net, okfn);
 
         ret = nf_hook_slow(skb, &state, elem);
-        rcu_read_unlock();
         if (ret == 1)
                 ret = okfn(net, sk, skb);
 
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 98b9c8e8615e..707caea39743 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -62,10 +62,10 @@ print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
                 pptr = skb_header_pointer(skb, offset,
                                           sizeof(_ports), &_ports);
                 if (pptr == NULL) {
-                        printk(" INCOMPLETE TCP/UDP header");
+                        pr_cont(" INCOMPLETE TCP/UDP header");
                         return;
                 }
-                printk(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst));
+                pr_cont(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst));
         }
 }
 
@@ -100,11 +100,11 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
 
                 ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
                 if (ih == NULL) {
-                        printk(" INCOMPLETE IP header");
+                        pr_cont(" INCOMPLETE IP header");
                         goto out;
                 }
-                printk(" IP SRC=%pI4 IP DST=%pI4, IP tos=0x%02X, IP proto=%d",
-                       &ih->saddr, &ih->daddr, ih->tos, ih->protocol);
+                pr_cont(" IP SRC=%pI4 IP DST=%pI4, IP tos=0x%02X, IP proto=%d",
+                        &ih->saddr, &ih->daddr, ih->tos, ih->protocol);
                 print_ports(skb, ih->protocol, ih->ihl*4);
                 goto out;
         }
@@ -120,11 +120,11 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
 
                 ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
                 if (ih == NULL) {
-                        printk(" INCOMPLETE IPv6 header");
+                        pr_cont(" INCOMPLETE IPv6 header");
                         goto out;
                 }
-                printk(" IPv6 SRC=%pI6 IPv6 DST=%pI6, IPv6 priority=0x%01X, Next Header=%d",
-                       &ih->saddr, &ih->daddr, ih->priority, ih->nexthdr);
+                pr_cont(" IPv6 SRC=%pI6 IPv6 DST=%pI6, IPv6 priority=0x%01X, Next Header=%d",
+                        &ih->saddr, &ih->daddr, ih->priority, ih->nexthdr);
                 nexthdr = ih->nexthdr;
                 offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph), &nexthdr, &frag_off);
                 if (offset_ph == -1)
@@ -142,12 +142,12 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
 
                 ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
                 if (ah == NULL) {
-                        printk(" INCOMPLETE ARP header");
+                        pr_cont(" INCOMPLETE ARP header");
                         goto out;
                 }
-                printk(" ARP HTYPE=%d, PTYPE=0x%04x, OPCODE=%d",
-                       ntohs(ah->ar_hrd), ntohs(ah->ar_pro),
-                       ntohs(ah->ar_op));
+                pr_cont(" ARP HTYPE=%d, PTYPE=0x%04x, OPCODE=%d",
+                        ntohs(ah->ar_hrd), ntohs(ah->ar_pro),
+                        ntohs(ah->ar_op));
 
                 /* If it's for Ethernet and the lengths are OK,
                  * then log the ARP payload
@@ -161,17 +161,17 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
                         ap = skb_header_pointer(skb, sizeof(_arph),
                                                 sizeof(_arpp), &_arpp);
                         if (ap == NULL) {
-                                printk(" INCOMPLETE ARP payload");
+                                pr_cont(" INCOMPLETE ARP payload");
                                 goto out;
                         }
-                        printk(" ARP MAC SRC=%pM ARP IP SRC=%pI4 ARP MAC DST=%pM ARP IP DST=%pI4",
-                                        ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
+                        pr_cont(" ARP MAC SRC=%pM ARP IP SRC=%pI4 ARP MAC DST=%pM ARP IP DST=%pI4",
+                                ap->mac_src, ap->ip_src,
+                                ap->mac_dst, ap->ip_dst);
                 }
         }
 out:
-        printk("\n");
+        pr_cont("\n");
         spin_unlock_bh(&ebt_log_lock);
-
 }
 
 static unsigned int
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index 206dc266ecd2..346ef6b00b8f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -375,11 +375,7 @@ static int nft_reject_bridge_init(const struct nft_ctx *ctx,
                                   const struct nlattr * const tb[])
 {
         struct nft_reject *priv = nft_expr_priv(expr);
-        int icmp_code, err;
-
-        err = nft_reject_bridge_validate(ctx, expr, NULL);
-        if (err < 0)
-                return err;
+        int icmp_code;
 
         if (tb[NFTA_REJECT_TYPE] == NULL)
                 return -EINVAL;